I have a client using Cisco VPN Client to establish a VPN to a 3005 Concentrator. (Ver. 4.0.1) I am also using the 3005 to establish VPNs to remote PIX firewalls. The VPN Clients are using an address pool that is not on any other network.
Question: Can that client VPN to the 3005, and use an existing tunnel to a remote site? My intuition says no, since they are both being created on the external interface. I know it is possible to create a second tunnel on the PIX to route packets going to a specific IP range (i.e., the DMZ on the remote PIX), but that setup has only been tested from the internal networks (one tunnel to access the remote site's internal network, the other tunnel to access the DMZ). Can packets be routed from the 3005 to accomplish the same thing?
I can send a diagram if that will help. Any assistance would be appreciated.
Yes, if the head-end device is a 3005 this will work. It will not work if the head-end device is a PIX though.
On the 3005, just include the VPN pool of addresses in the Local Subnet for the LAN-to-LAN tunnels (you'll probably need to create a Network List to do this), and on each remote PIX, add another line in its crypto and nat 0 ACLs that specifies traffic from the local PIX subnet going to the VPN pool of addresses.
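The remote-PIX half of the change described in the answer above, as an added example that is not part of the original thread. The addresses, ACL names (`vpn-to-hq`, `nonat`) and crypto map name and sequence (`outside_map 10`) are constructed placeholders, and the syntax shown is PIX 6.x style.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   remote PIX inside LAN : 192.168.20.0/24
!   3005 head-end LAN     : 192.168.1.0/24
!   3005 VPN client pool  : 10.250.0.0/24

! Existing entry: remote LAN to head-end LAN over the LAN-to-LAN tunnel
access-list vpn-to-hq permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
! Added entry: remote LAN to the VPN client pool, so replies to
! clients are encrypted into the same tunnel
access-list vpn-to-hq permit ip 192.168.20.0 255.255.255.0 10.250.0.0 255.255.255.0

! NAT exemption must cover the same two destinations, otherwise
! traffic toward the pool is translated and never matches the crypto ACL
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 10.250.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! The crypto map entry for the 3005 peer already references the crypto ACL
crypto map outside_map 10 match address vpn-to-hq
```

The added crypto ACL line only takes effect if the 3005 lists the same pool as a local network for that LAN-to-LAN tunnel, because both peers must propose matching source and destination networks when negotiating the IPsec SA. Keeping the pool entry scoped to the one remote subnet, rather than `any`, limits which remote hosts VPN clients can reach through the tunnel.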